Berkeley CSUA MOTD:Entry 35293
2004/12/14-15 [Computer/SW/OS/OsX, Computer/SW/Security] UID:35293 Activity:moderate
12/14   Has anyone successfully gotten ssh/scp public key
        authentication to work on Mac OS X?  I'm going from a 10.3.6 client
        machine to a 10.3.6 Server machine, but it doesn't seem to be
        looking at the key.  Is there some strange config setting I'm
        missing or am I just a tard?   -sax
        \_ - On client machine type: ssh-keygen -t dsa
           - Enter nothing for passphrase
           - Add ~/.ssh/id_dsa.pub from client as a line in
             ~/.ssh/authorized_keys on server
           \_ You can actually have passphrases and not have to wrestle
              with the authentication agent. Check out keychain
              (http://www.gentoo.org/proj/en/keychain/index.xml). It works
              great, I use it all the time on my Mac. (as for the ssh prob,
              I don't have anything to add that hasn't been said) - ajani
        \_ I have, and I don't particularly recall any voodoo needed to make
           it work.  Try connecting with -vvv, and see what it says.  You
           could also try turning sshd's log level way up. -dans
        \_ Are PubkeyAuthentication and RSAAuthentication both set to yes
           in /etc/sshd_config?  (They should be by default)
           I haven't had a problem getting this to work with OS X. --ranga
        \_ As a follow up, I've gotten passwordless dsa keys to work from
           my client->soda, soda->client, and server->client, I just can't
           get anything to work going into my server.  I even tried
           overwriting my sshd_config with both soda's and my client's files,
           to no effect.  I can ssh to the server, it just won't recognize
           the public key.  I'm not sure if this is a configuration problem,
           or something particular about 10.3 Server...  I'm now going to
           try some of these suggestions, thanks!      -sax
           \_ Turns out it's an ownership problem of the home directories
              on the server.  The server was set up as an AFP server, and
              the permissions on the home folders are screwy.   -sax
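The three answers in the thread (key pasted as one line into authorized_keys, sshd_config options, and sax's home-directory ownership) all boil down to the server-side checks sshd's default StrictModes performs. The shell function below is an added example, not code from the thread; it assumes a POSIX sh with ls, id and grep -E on the server, parses ls -ld instead of stat(1) so it behaves the same on Mac OS X and Linux, and accepts ed25519/ecdsa key types as well as the ssh-dss/ssh-rsa keys discussed above.

```shell
#!/bin/sh
# check_pubkey_setup HOME_DIR [USER]
# Checks the server-side conditions sshd's default StrictModes imposes before
# it will read HOME_DIR/.ssh/authorized_keys: the home directory, .ssh and
# authorized_keys must be owned by USER (default: the caller) and must not be
# group- or world-writable, and each key must sit on one unbroken line.
# Prints every problem found and returns 0 only when all checks pass.
check_pubkey_setup() {
    home="$1"
    user="${2:-$(id -un)}"
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        # ls -ld is parsed instead of stat(1), whose flags differ between
        # macOS/BSD (-f) and GNU (-c).  Field 3 is the owner; in the mode
        # string (e.g. drwxr-xr-x) char 6 is group write, char 9 other write.
        set -- $(ls -ld "$p")
        mode="$1"; owner="$3"
        [ "$owner" = "$user" ] || { echo "owned by $owner, not $user: $p"; rc=1; }
        case "$mode" in ?????w*) echo "group-writable: $p ($mode)"; rc=1 ;; esac
        case "$mode" in ????????w*) echo "world-writable: $p ($mode)"; rc=1 ;; esac
    done
    ak="$home/.ssh/authorized_keys"
    if [ -f "$ak" ]; then
        # A pasted id_dsa.pub must stay one line: "ssh-dss AAAA... comment".
        # Anything that is neither blank/comment nor "[options] keytype base64"
        # is usually a key that got wrapped by the editor or mailer it came through.
        bad=$(grep -v -E '^[[:space:]]*(#|$)' "$ak" \
              | grep -c -v -E '^([^ ]+ )?(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' \
              || true)
        if [ "$bad" -gt 0 ]; then
            echo "$bad line(s) in authorized_keys are not a complete key"; rc=1
        fi
    fi
    return $rc
}

# Usage on the server: check the caller's own home directory (or the path given).
check_pubkey_setup "${1:-$HOME}" || echo "fix the items above, then retry with ssh -vvv"
```

The output maps directly onto what `ssh -vvv` and a raised sshd LogLevel would otherwise only hint at ("Authentication refused: bad ownership or modes").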
Cache (8192 bytes)
www.gentoo.org/proj/en/keychain/index.xml
OpenSSH as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH's (and the commercial SSH2's) intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based upon a pair of complementary numerical "keys". And one of the main appeals of RSA and DSA authentication is the promise of being able to establish connections to remote systems without supplying a password. The keychain script makes handling RSA and DSA keys both convenient and secure. It acts as a front-end to ssh-agent, allowing you to easily have one long-running ssh-agent process per system, rather than per login session. This dramatically reduces the number of times you need to enter your passphrase from once per new login session to once every time your local machine is rebooted.

second article shows you how to use keychain to set up secure, passwordless ssh access in an extremely convenient way. keychain also provides a clean, secure way for cron jobs to take advantage of RSA/DSA keys without having to use insecure unencrypted private keys.

Solaris using whatever variant of Bourne shell you have available. keychain detects a long-running ssh-agent process that already holds drobbins' private keys and configures the shell environment appropriately. Because keychain "hooks in" to an existing ssh-agent process, drobbins gains access to his keys without typing in his passphrases, even though he just opened a brand new login session. He can now establish secure passwordless connections with any host configured to recognize these keys. That's the only time you really need to reinitialize the long-running ssh-agent process.

it has been broken since the changes in version 242 Now we use OSTYPE (bash) or uname to determine the system type and call ps appropriately.